Skip to content

Legal Responsibilities When Collecting ID Documentation

When running your business, you may want to ask customers to provide their personal information to you. If you do so, you must meet your privacy obligations when collecting, using, storing or disclosing this information. In this article, we look at what legal responsibilities you may have when asking customers for a copy of their ID documentation or scanning their biometric information.

Are You An APP Entity?

The Australian Privacy Act 1998 (Cth) and the Australian Privacy Principles (APPs) impose certain obligations on any business considered to be an APP entity. Whether or not your business is an APP entity will determine how you collect and handle your customers’ ID documentation.

An APP entity is any entity which:

  • must comply with the APPs; or
  • voluntarily opts to comply and is therefore considered an APP entity.

One of the main factors in determining whether a business needs to comply with the APPs is the value of its annual turnover. If your business’ annual turnover is more than $3 million, you are an APP entity. This applies regardless of whether your business is for-profit or not-for-profit.

If your annual turnover is less than $3 million, you may still be an APP entity if you:

  • are a health service provider;
  • are related to a larger body corporate;
  • exist as a Commonwealth contracted service provider;
  • run a residential tenancy database;
  • operate a credit reporting business; or
  • choose to comply with the APPs voluntarily.

This list does not cover all the exceptions, which may mean you need to comply with the Privacy Act. It can also be difficult to determine whether you fall under one of these exceptions. Accordingly, it is always best to get legal advice on the position of your business under the Privacy Act

How Can an APP Entity Handle ID Documentation?

If you are an APP entity, you will need to handle ID documentation as per your privacy obligations. You are only allowed to scan and copy ID documentation if it is reasonably necessary to a function or activity of your business. To assess this, ask yourself: does the nature of your business call for the need to identify an individual? Note that you are not allowed to scan ID documentation if sighting it would be sufficient. 

Nature of Business

If you run a shop selling fruit, the identity of customers who purchase your fruit is not relevant to the nature of your business as there are no regulations around who can purchase fruit. Your key concern is only whether they have the correct funds to purchase your fruit.

Reasonably Necessary to Business Activities

You may need to collect or copy ID documents if your business provides a service that requires trust between two parties. For example, you may operate a babysitting marketplace platform which allows parents to source babysitters.

Parents naturally want to know that they will be leaving their children with trustworthy babysitters. In order to provide this certainty to parents, you may ask babysitters joining the platform for their identification documents, references and Working with Children Check.

Sighting of ID is Sufficient

If you are running a pub, there are laws which impact to whom you can sell alcohol. These laws mean that you need to verify a customer’s identity to confirm they are who they claim to be and are over 18 years of age. Often, sighting a driver’s licence to check for date of birth and to match the patron’s face to the ID will be sufficient. However, if your pub has been subject to underage patrons using fake IDs, sighting IDs may not be sufficient. Instead, you may need to scan that ID to verify its authenticity.

Continue reading this article below the form
Loading form

How Do I Notify My Customers?

As an APP entity, you have an obligation to notify your customers before scanning their ID, detailing:

  • who you are;
  • why you are scanning their ID;
  • whether it is something you are required or authorised to do by law; and
  • the consequences if they refuse to allow you to scan their ID.

An easy way to inform your customers is by covering these details in your privacy policy and making this document easily available. Your privacy policy should also cover how:

  • your scanning works;
  • you store the information, including details of any data security measures;
  • your customers can access and correct their information if required; and
  • your business will destroy or de-identify personal information collected.

You should also detail when, how and why you may disclose customer information to third parties.

What If I Am Not an APP Entity?

ID documentation provides a lot of sensitive information about an individual. So even if you are not an APP entity, think about whether the collecting and handling of ID information is reasonably necessary for your business’ functions or activities. 

Furthermore, have a policy in place detailing the practices set up to protect the personal information you collect. Also ensure you conduct your operations according to the policy. This will build trust with your customers and minimise the risk of losing clients over unprofessional data practices.

Key Takeaways

An APP entity has particular obligations under the Privacy Act when collecting ID documentation. Therefore, it must make sure collection is reasonably necessary to its functions or activities and that it is only scanning ID documentation if sighting is not sufficient. There are many steps an APP entity should take to protect ID information collected, including ensuring it has an up-to-date and comprehensive privacy policy. 

If you need advice on whether your business needs to comply with the Privacy Act, or how to draft a privacy policy, get in touch with LegalVision’s online lawyers on 1300 544 755.

Register for our free webinars

ACCC Merger Reforms: Key Takeaways for Executives and Legal Counsel

Online
Understand how the ACCC’s merger reforms impact your legal strategy. Register for our free webinar.
Register Now

Ask an Employment Lawyer: Contracts, Performance and Navigating Dismissals

Online
Ask an employment lawyer your contract, performance and dismissal questions in our free webinar. Register today.
Register Now

Stop Chasing Unpaid Invoices: Payment Terms That Actually Work

Online
Stop chasing late payments with stronger terms and protections. Register for our free webinar.
Register Now

Managing Psychosocial Risks: Employer and Legal Counsel Responsibilities

Online
Protect your business by managing workplace psychosocial risks. Register for our free webinar.
Register Now
See more webinars >
Jacqueline Gibson

Jacqueline Gibson

Read all articles by Jacqueline

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

We’re an award-winning law firm

  • Award

    2025 Future of Legal Services Innovation Finalist - Legal Innovation Awards

  • Award

    2025 Employer of Choice - Australasian Lawyer

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2022 Law Firm of the Year - Australasian Law Awards